IBM Security MaaS360


Actionable Quarantine Templates: Mitigate Organisation Risk

By Neha Yadav posted Fri March 15, 2024 04:04 AM

  

Requirement

The Security Dashboard allows administrators to take various actions on users/devices in order to mitigate risks. But taking actions one by one on {n} users/devices can be tedious and prone to human error. Admins need something predefined, where all the actions the Security Dashboard supports for quarantining a user/device can be viewed and picked according to the organisation's needs.

Overview

Quarantine templates allow an admin to select and set multiple actions based on requirements. A maximum of three templates can be set in the Security Dashboard. Once the templates are set, the admin can use them to take multiple actions at once on a user/device with just a few clicks. The feature is available to anyone who has URM (User Risk Management) or Endpoint Security enabled. URM is enabled by default for Endpoint Security.

Feature Details
 
How to set Quarantine Templates after logging in to the Security Dashboard?
 
Click Settings and choose Quarantine Template. The Quarantine Template UI will load. Note that when an admin opens Quarantine Template for the first time, all three templates and their actions are in the default/empty state. The admin can then set up actions in the templates. It is not mandatory to set all three templates in one go; template values can be managed over time as the need arises.

From the Settings menu, select Quarantine Template to set up the actions.

Screenshot of Default Template - When no actions are set in any of the Templates

Screenshot of Template - When actions are set
 
What operations are allowed on the templates?
There are several operations that an admin can perform on templates. Any action apart from a name change requires verification via a password prompt.
  • Change the name of a template to one that is more appropriate for the admin
  • Set the action values from the given options
  • Reset to the default state. Please note that this action returns the template to its default state

Workflows where Quarantine Templates come into play

There are three workflows in total where Quarantine Templates come into play for users and device(s):

  - Top Risky Users workflow

  - User List workflow

  - Summary View, where the admin can take action on the user as well as on device(s)

Quarantine Templates in Play

When an admin decides to take action on a user/device, they select Quarantine user/device from the floating menu in the chosen workflow. The Quarantine pop-up opens and lets the admin select a template from the available ones.

If the template is set, all of its actions/values are displayed on the right. This section gives an overview of which actions will be applied once the template is applied. If the template is not set, the description is empty. A link is provided to set the template values if needed.

Screenshot of Template in use - When actions are set

Screenshot of Template in use - When no actions are set

Are Quarantine Templates too rigid?

With the limit of three templates, it is easy to assume that the feature is rigid. But every workflow has one more option, "Custom": an empty template from which the admin can select options while taking the action. Unlike Quarantine Templates, however, "Custom" template settings are not stored for future reference. The Custom template is for one-time use only.

Screenshot of Custom Template option

Screenshot of Custom Template - Set and Apply on user/device

Technology used to support Quarantine Templates

The backbone of Quarantine Templates is OpenSearch, where the data and metadata for all templates are stored. Any change to a template is stored in a history index, while the current state is kept in the quarantine template index. The difference between a template's current and changed settings is computed in the middle layer, which is written in Java, and the UI is built in React.

NOTE:

To enable the Quarantine feature, customers should contact either support or their account representative to have the customer property enabled.





 
